function RULE_CHECK
{
- # System ~PKG~ rwxat
- if [ "$1" == "System" ] && [[ "$2" == *"::Pkg::"* ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System ~PKG~::RO rwxat
- elif [ "$1" == "System" ] && [[ "$2" == *"::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System ~PKG~::SharedRO rwxat
- elif [ "$1" == "System" ] && [[ "$2" == *"::Pkg::"*"::SharedRO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # User ~PKG~ rwxat
- elif [ "$1" == "User" ] && [[ "$2" == *"::Pkg::"* ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # User ~PKG~::RO rwxat
- elif [ "$1" == "User" ] && [[ "$2" == *"::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # User ~PKG~::SharedRO rwxat
- elif [ "$1" == "User" ] && [[ "$2" == *"::Pkg::"*"::SharedRO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System User::App::Shared rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "User::App::Shared" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System ~APP~ rwx
- elif [ "$1" == "System" ] && [[ "$2" == *"::App::"* ]]
- then
- if [ "$3" == "rwx" ]
- then
- return 0
- fi
- # ~APP~ System wx
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "System" ]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # ~APP~ System::Shared rxl
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "System::Shared" ]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- # ~APP~ System::Run rwxat
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "System::Run" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # ~APP~ System::Log rwxa
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "System::Log" ]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # ~APP~ _ l
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "_" ]
- then
- if [ "$3" == "l" ]
- then
- return 0
- fi
- # ~APP~ User::App::Shared rwxat
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "User::App::Shared" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # User User::App::Shared rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "User::App::Shared" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # User ~APP~ rwx
- elif [ "$1" == "User" ] && [[ "$2" == *"App"* ]]
- then
- if [ "$3" == "rwx" ]
- then
- return 0
- fi
- # ~APP~ User wx
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "User" ]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # ~APP~ User::Home rxl
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "User::Home" ]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- # SharedRO
- # ~App~ ~Pkg~::SharedRO rwxat : same app and pkg
- # ~App~ ~Pkg~::SharedRO rx : diffrent app and pkg
- elif [[ "$1" == *"::App::"* ]] && [[ "$2" == *"::Pkg::"*"::SharedRO" ]]
- then
- pkgname=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
- appname=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
- pkgname_db=$(/usr/bin/sqlite3 $dbpath "select DISTINCT pkg_name from user_app_pkg_view where app_name='$appname';")
-
- if [ "$pkgname" == "$pkgname_db" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- else
- if [ "$3" == "rx" ]
- then
- return 0
- fi
- fi
- # ~APP~ ~PKG~::RO rxl
- elif [[ "$1" == *"::App::"* ]] && [[ "$2" == *"::Pkg::"*"::RO" ]]
- then
- pkgname=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
- appname=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
- pkgname_db=$(/usr/bin/sqlite3 $dbpath "select DISTINCT pkg_name from user_app_pkg_view where app_name='$appname';")
-
- if [ "$pkgname" == "$pkgname_db" ]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- fi
- # ~APP~ ~PKG~ rwxat
- elif [[ "$1" == *"::App::"* ]] && [[ "$2" == *"::Pkg::"* ]]
- then
- pkgname=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
- appname=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
- pkgname_db=$(/usr/bin/sqlite3 $dbpath "select DISTINCT pkg_name from user_app_pkg_view where app_name='$appname';")
-
- if [ "$pkgname" == "$pkgname_db" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- fi
- # ~APP~ ~AUTHOR~ rwxat
- elif [[ "$1" == *"::App::"* ]] && [[ "$2" == *"Author"* ]]
- then
- authorID=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
- appname=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
- authorID_db=$(/usr/bin/sqlite3 $dbpath "select DISTINCT author_id from user_app_pkg_view where app_name='$appname';")
-
- if [ "$authorID" == "$authorID_db" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- fi
- # User ~AUTHOR~ rwxat
- elif [ "$1" == "User" ] && [[ "$2" == *"Author"* ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System ~AUTHOR~ rwxat
- elif [ "$1" == "System" ] && [[ "$2" == *"Author"* ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # From here, default 3-Domain Rule Check
- # _ System rwxa
- elif [ "$1" == "^" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # ^ System::Log rwxa
- elif [ "$1" == "^" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # ^ System::Run rwxat
- elif [ "$1" == "^" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # _ System wx
- elif [ "$1" == "_" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # _ System::Run rwxat
- elif [ "$1" == "_" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System System::Log rwxa
- elif [ "$1" == "System" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # System System::Run rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System System::Shared rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "System::Shared" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System User rwx
- elif [ "$1" == "System" ] && [[ "$2" == "User" ]]
- then
- if [ "$3" == "rwx" ]
- then
- return 0
- fi
- # System User::Home rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "User::Home" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System _ rxl
- elif [ "$1" == "System" ] && [[ "$2" == "_" ]]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- if [ "$3" == "rwx" ]
- then
- return 0
+ #System ~PROCESS~ rwx
+ #System ~PATH_RW~ rwxat
+ #need to be modified later
+ if [ "$1" == "System" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwx" ] || [ "$3" == "rwxat" ] # should be checked
+ then
+ return 0
+ fi
+ #System::Privileged ~PROCESS~ rwx
+ #System::Privileged ~PATH_RW~ rwxat
+ #need to be modified later
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwx" ] || [ "$3" == "rwxat" ] # should be checked
+ then
+ return 0
+ fi
+ #~PROCESS~ System wx
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System" ]
+ then
+ if [ "$3" == "wx" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ System::Privileged wx
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System::Privileged" ]
+ then
+ if [ "$3" == "wx" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ System::Shared rxl
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System::Shared" ]
+ then
+ if [ "$3" == "rxl" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ System::Run rwxat
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System::Run" ]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ System::Log rwxa
+ elif [[ "$1" == "User::Pkg:"* ]] && [ "$2" == "System::Log" ]
+ then
+ if [ "$3" == "rwxa" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ _ l
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "_" ]
+ then
+ if [ "$3" == "l" ]
+ then
+ return 0
+ fi
+ #User ~PROCESS~ rwx
+ #need to be checked later
+ elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwx" ] || [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ User wx
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "User" ]
+ then
+ if [ "$3" == "wx" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ User::Home rxl
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "User::Home" ]
+ then
+ if [ "$3" == "rxl" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ User::App::Shared rwxat
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "User::App::Shared" ]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ ~PATH_RO~ rxl
+ elif [[ "$1" == "User::Pkg::"* ]] && [[ "$2" == "User::Pkg"*"::RO" ]]
+ then
+ if [ "$3" == "rxl" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ ~PATH_SHARED_RO~ rwxat (self)
+ elif [[ "$1" == "User::Pkg::"* ]] && [[ "$2" == "$1""::SharedRO" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ ~PATH_SHARED_RO~ rx (other)
+ elif [[ "$1" == "User::Pkg::"* ]] && [[ "$2" == "User::Pkg"*"::SharedRO" ]] && [[ "$2" != "$1""::SharedRO" ]]
+ then
+ if [ "$3" == "rx" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ ~PATH_TRUSTED~ rwxat
+ elif [[ "$1" == *"::Pkg::"* ]] && [[ "$2" == *"::Author::"* ]]
+ then
+ authorID=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
+ pkgname=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
+ authorID_db=$(/usr/bin/sqlite3 $dbpath "select DISTINCT author_id from user_app_pkg_view where pkg_name='$pkgname';")
+ if [ "$authorID" == "$authorID_db" ]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ fi
+ #User ~PATH_TRUSTED~ rwxat
+ elif [ "$1" == "User" ] && [[ "$2" == *"::Author::"* ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #System ~PATH_TRUSTED~ rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == *"::Author::"* ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #System::Privileged ~PATH_TRUSTED~ rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"::Author::"* ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #System ~PATH_RO~ rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #System ~PATH_SHARED_RO~ rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == "User::Pkg::"*"::SharedRO" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #System::Privileged ~PATH_RW~ rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #System::Privileged ~PATH_RO~ rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #System::Privileged ~PATH_SHARED_RO~ rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"*"::SharedRO" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #User ~PATH_RW~ rwxat
+ elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #User ~PATH_RO~ rwxat
+ elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ #User ~PATH_SHARED_RO~ rwxat
+ elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg"*"::SharedRO" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # From here, default 3-Domain Rule Check
+ # _ System rwxa
+ elif [ "$1" == "^" ] && [[ "$2" == "System" ]]
+ then
+ if [ "$3" == "rwxa" ]
+ then
+ return 0
+ fi
+ # ^ System::Log rwxa
+ elif [ "$1" == "^" ] && [[ "$2" == "System::Log" ]]
+ then
+ if [ "$3" == "rwxa" ]
+ then
+ return 0
+ fi
+ # ^ System::Run rwxat
+ elif [ "$1" == "^" ] && [[ "$2" == "System::Run" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # _ System wx
+ elif [ "$1" == "_" ] && [[ "$2" == "System" ]]
+ then
+ if [ "$3" == "wx" ]
+ then
+ return 0
+ fi
+ # _ System::Run rwxat
+ elif [ "$1" == "_" ] && [[ "$2" == "System::Run" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System System::Log rwxa
+ elif [ "$1" == "System" ] && [[ "$2" == "System::Log" ]]
+ then
+ if [ "$3" == "rwxa" ]
+ then
+ return 0
+ fi
+ # System System::Run rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == "System::Run" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System System::Shared rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == "System::Shared" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System User rwx
+ elif [ "$1" == "System" ] && [[ "$2" == "User" ]]
+ then
+ if [ "$3" == "rwx" ]
+ then
+ return 0
+ fi
+ # System User::Home rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == "User::Home" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System _ rwx
+ elif [ "$1" == "System" ] && [[ "$2" == "_" ]]
+ then
+
+ if [ "$3" == "rwx" ]
+ then
+ return 0
+ fi
+ # System ^ rwxa
+ elif [ "$1" == "System" ] && [[ "$2" == "^" ]]
+ then
+ if [ "$3" == "rwxa" ]
+ then
+ return 0
+ fi
+ # User _ rxl
+ elif [ "$1" == "User" ] && [[ "$2" == "_" ]]
+ then
+ if [ "$3" == "rwl" ]
+ then
+ return 0
+ fi
+ # User System wx
+ elif [ "$1" == "User" ] && [[ "$2" == "System" ]]
+ then
+ if [ "$3" == "wx" ]
+ then
+ return 0
+ fi
+ # User System::Run rwxat
+ elif [ "$1" == "User" ] && [[ "$2" == "System::Run" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # User System::Log rwxa
+ elif [ "$1" == "User" ] && [[ "$2" == "System::Log" ]]
+ then
+ if [ "$3" == "rwxa" ]
+ then
+ return 0
+ fi
+ # User System::Shared rxl
+ elif [ "$1" == "User" ] && [[ "$2" == "System::Shared" ]]
+ then
+ if [ "$3" == "rxl" ]
+ then
+ return 0
+ fi
+ # User User::Home rwxat
+ elif [ "$1" == "User" ] && [[ "$2" == "User::Home" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System::Privileged System rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System::Privileged System::Shared rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Shared" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System::Privileged System::Run rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Run" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System::Privileged System::Log rwxa
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Log" ]]
+ then
+ if [ "$3" == "rwxa" ]
+ then
+ return 0
+ fi
+ # System::Privileged User::Home rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Home" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System::Privileged User::App::Shared rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::App::Shared" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System::Privileged _ rwx
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "_" ]]
+ then
+ if [ "$3" == "rwx" ]
+ then
+ return 0
+ fi
+ # _ System::Privileged wx
+ elif [ "$1" == "_" ] && [[ "$2" == "System::Privileged" ]]
+ then
+ if [ "$3" == "wx" ]
+ then
+ return 0
+ fi
+ # System System::Privileged rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == "System::Privileged" ]]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # ^ System::Privileged rwxa
+ elif [ "$1" == "^" ] && [[ "$2" == "System::Privileged" ]]
+ then
+ if [ "$3" == "rwxa" ]
+ then
+ return 0
+ fi
+ # System::Privileged ^ rwxa
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "^" ]]
+ then
+ if [ "$3" == "rwxa" ]
+ then
+ return 0
+ fi
+ # User System::Privileged wx
+ elif [ "$1" == "User" ] && [ "$2" == "System::Privileged" ]
+ then
+ if [ "$3" == "wx" ]
+ then
+ return 0
+ fi
+ # System::Privileged User rwx
+ elif [ "$1" == "System::Privileged" ] && [ "$2" == "User" ]
+ then
+ if [ "$3" == "rwx" ]
+ then
+ return 0
+ fi
+ # System::Privileged User::App::Shared rwxat
+ elif [ "$1" == "System::Privileged" ] && [ "$2" == "User::App::Shared" ]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # User::Shell System wx
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "System" ]
+ then
+ if [ "$3" == "wx" ]
+ then
+ return 0
+ fi
+ # User::Shell,System::Shared,rxl
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "System::Shared" ]
+ then
+ if [ "$3" == "rxl" ]
+ then
+ return 0
+ fi
+ # User::Shell,System::Run,rxl
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "System::Run" ]
+ then
+ if [ "$3" == "rxl" ]
+ then
+ return 0
+ fi
+ # User::Shell,System::Log,w
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "System::Log" ]
+ then
+ if [ "$3" == "w" ]
+ then
+ return 0
+ fi
+ # User::Shell,User,wx
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "User" ]
+ then
+ if [ "$3" == "wx" ]
+ then
+ return 0
+ fi
+ # User::Shell,User::Home,rxl
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "User::Home" ]
+ then
+ if [ "$3" == "rxl" ]
+ then
+ return 0
+ fi
+ # User::Shell,User::App::Shared,rwxat
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "User::App::Shared" ]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # User,User::Shell,rwxat
+ elif [ "$1" == "User" ] && [ "$2" == "User::Shell" ]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # User,User::App::Shared,rwxat
+ elif [ "$1" == "User" ] && [ "$2" == "User::App::Shared" ]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System::Privileged,User::Shell,rwxat
+ elif [ "$1" == "System::Privileged" ] && [ "$2" == "User::Shell" ]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System,User::Shell,rwxat
+ elif [ "$1" == "System" ] && [ "$2" == "User::Shell" ]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
+ # System,User::App::Shared,rwxat
+ elif [ "$1" == "System" ] && [ "$2" == "User::App::Shared" ]
+ then
+ if [ "$3" == "rwxat" ]
+ then
+ return 0
+ fi
fi
- # System ^ rwxa
- elif [ "$1" == "System" ] && [[ "$2" == "^" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # User _ rxl
- elif [ "$1" == "User" ] && [[ "$2" == "_" ]]
- then
- if [ "$3" == "rwl" ]
- then
- return 0
- fi
- # User System wx
- elif [ "$1" == "User" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # User System::Run rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # User System::Log rwxa
- elif [ "$1" == "User" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # User System::Shared rxl
- elif [ "$1" == "User" ] && [[ "$2" == "System::Shared" ]]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- # User User::Home rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "User::Home" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # app <-> app rwxat cross package
- elif [[ "$1" == *"::App::"* ]] && [[ "$2" == *"::App::"* ]]
- then
- appname1=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
- appname2=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
- pkgname1=$(/usr/bin/sqlite3 $dbpath "select DISTINCT pkg_name from user_app_pkg_view where app_name='$appname1';")
- pkgname2=$(/usr/bin/sqlite3 $dbpath "select DISTINCT pkg_name from user_app_pkg_view where app_name='$appname2';")
- if [ "$pkgname1" == "$pkgname2" ] && [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged System rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged System::Shared rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Shared" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged System::Run rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged System::Log rwxa
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # System::Privileged User::Home rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Home" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged User::App::Shared rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::App::Shared" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged _ rwx
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "_" ]]
- then
- if [ "$3" == "rwx" ]
- then
- return 0
- fi
- # _ System::Privileged wx
- elif [ "$1" == "_" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # System System::Privileged rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # ^ System::Privileged rwxa
- elif [ "$1" == "^" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # System::Privileged ^ rwxa
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "^" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # User System::Privileged wx
- elif [ "$1" == "User" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # System::Privileged User rwx
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User" ]]
- then
- if [ "$3" == "rwx" ]
- then
- return 0
- fi
- # System::Privileged ~PKG~ rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"::Pkg::"* ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged ~PKG~::RO rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged ~PKG~::SharedRO rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"::Pkg::"*"::SharedRO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged User::App::Shared rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::App::Shared" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged ~APP~ rwx
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"::App::"* ]]
- then
- if [ "$3" == "rwx" ]
- then
- return 0
- fi
- # ~APP~ System::Privileged wx
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "System::Privileged" ]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # System::Privileged ~AUTHOR~ rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"Author"* ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- fi
- EXCEPTION_CHECK $1 $2 $3
+ EXCEPTION_CHECK $1 $2 $3
- if [ "$?" == 0 ]
- then
- /bin/echo "$1,$2,$3" >> $log_file
- fi
+ if [ "$?" == 0 ]
+ then
+ /bin/echo "$1,$2,$3" >> $log_file
+ fi
}
function RULE_CHECK_APPLY_PATH
{
- /usr/bin/cat $SMACK_RULE_APPLY_PATH | while read line
- do
- subject=$(/bin/echo $line | /usr/bin/cut -f 1 -d " ")
- object=$(/bin/echo $line | /usr/bin/cut -f 2 -d " ")
- rule=$(/bin/echo $line | /usr/bin/cut -f 3 -d " ")
+ /usr/bin/cat $SMACK_RULE_APPLY_PATH | while read line
+ do
+ subject=$(/bin/echo $line | /usr/bin/cut -f 1 -d " ")
+ object=$(/bin/echo $line | /usr/bin/cut -f 2 -d " ")
+ rule=$(/bin/echo $line | /usr/bin/cut -f 3 -d " ")
- RULE_CHECK $subject $object $rule
- done
+ RULE_CHECK $subject $object $rule
+ done
}
if [ ! -d $log_dir ]; then
- /bin/mkdir $log_dir
+ /bin/mkdir $log_dir
fi
if [ ! -d $result_dir ]; then
- /bin/mkdir $result_dir
+ /bin/mkdir $result_dir
fi
if [ -e $result_file ]
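Review bot: The new `~PROCESS~ ~PATH_RO~ rxl` branch in RULE_CHECK (`[[ "$2" == "User::Pkg"*"::RO" ]]`) accepts `rxl` from any `User::Pkg::` subject to any package's `::RO` label, whereas the removed `~APP~ ~PKG~::RO` branch accepted it only when the database mapped the app to that package. If RO paths are still meant to be per-package, compare against the subject as the SharedRO (self) branch does, `[[ "$2" == "$1""::RO" ]]`, so that a cross-package grant falls through to `EXCEPTION_CHECK`. That branch and the two SharedRO ones (`(other)` and `User ~PATH_SHARED_RO~`) match `"User::Pkg"*` without the trailing `::`, and the `~PROCESS~ System::Log` branch matches `"User::Pkg:"*` with a single colon; all four should read `"User::Pkg::"*` like the rest. The later `System::Privileged ~PATH_RW~` and `User ~PATH_RW~` branches repeat the conditions of the earlier branches that accept either `rwx` or `rwxat`, so they can never be reached and either mode passes for any such label. The second RULE_CHECK listing that follows carries the same patterns with the six-character access strings.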
function RULE_CHECK
{
- # System ~PKG~ rwxat
- if [ "$1" == "System" ] && [[ "$2" == *"::Pkg::"* ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System ~PKG~::RO rwxat
- elif [ "$1" == "System" ] && [[ "$2" == *"::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System ~PKG~::SharedRO rwxat
- elif [ "$1" == "System" ] && [[ "$2" == *"::Pkg::"*"::SharedRO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # User ~PKG~ rwxat
- elif [ "$1" == "User" ] && [[ "$2" == *"::Pkg::"* ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # User ~PKG~::RO rwxat
- elif [ "$1" == "User" ] && [[ "$2" == *"::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # User ~PKG~::SharedRO rwxat
- elif [ "$1" == "User" ] && [[ "$2" == *"::Pkg::"*"::SharedRO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System User::App::Shared rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "User::App::Shared" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System ~APP~ rwx
- elif [ "$1" == "System" ] && [[ "$2" == *"::App::"* ]]
- then
- if [ "$3" == "rwx---" ]
- then
- return 0
- fi
- # ~APP~ System wx
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "System" ]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # ~APP~ System::Shared rxl
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "System::Shared" ]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- # ~APP~ System::Run rwxat
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "System::Run" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # ~APP~ System::Log rwxa
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "System::Log" ]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # ~APP~ _ l
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "_" ]
- then
- if [ "$3" == "-----l" ]
- then
- return 0
- fi
- # ~APP~ User::App::Shared rwxat
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "User::App::Shared" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # User User::App::Shared rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "User::App::Shared" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # User ~APP~ rwx
- elif [ "$1" == "User" ] && [[ "$2" == *"App"* ]]
- then
- if [ "$3" == "rwx---" ]
- then
- return 0
- fi
- # ~APP~ User wx
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "User" ]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # ~APP~ User::Home rxl
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "User::Home" ]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- # SharedRO
- # ~App~ ~Pkg~::SharedRO rwxat : same app and pkg
- # App ~Pkg~::SharedRO rx : diffrent app and pkg
- elif [[ "$1" == *"::App::"* ]] && [[ "$2" == *"::Pkg::"*"::SharedRO" ]]
- then
- pkgname=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
- appname=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
- pkgname_db=$(/usr/bin/sqlite3 $dbpath "select DISTINCT pkg_name from user_app_pkg_view where app_name='$appname';")
-
- if [ "$pkgname" == "$pkgname_db" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- else
- if [ "$3" == "r-x---" ]
- then
- return 0
- fi
- fi
- # ~APP~ ~PKG~::RO rxl
- elif [[ "$1" == *"::App::"* ]] && [[ "$2" == *"::Pkg::"*"::RO" ]]
- then
- pkgname=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
- appname=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
- pkgname_db=$(/usr/bin/sqlite3 $dbpath "select DISTINCT pkg_name from user_app_pkg_view where app_name='$appname';")
-
- if [ "$pkgname" == "$pkgname_db" ]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- fi
- # ~APP~ ~PKG~ rwxat
- elif [[ "$1" == *"::App::"* ]] && [[ "$2" == *"::Pkg::"* ]]
- then
- pkgname=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
- appname=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
- pkgname_db=$(/usr/bin/sqlite3 $dbpath "select DISTINCT pkg_name from user_app_pkg_view where app_name='$appname';")
-
- if [ "$pkgname" == "$pkgname_db" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- fi
- #~APP~ ~AUTHOR~ rwxat
- elif [[ "$1" == *"::App::"* ]] && [[ "$2" == *"Author"* ]]
- then
- authorID=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
- appname=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
- authorID_db=$(/usr/bin/sqlite3 $dbpath "select DISTINCT author_id from user_app_pkg_view where app_name='$appname';")
-
- if [ "$authorID" == "$authorID_db" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- fi
- # User ~AUTHOR~ rwxat
- elif [ "$1" == "User" ] && [[ "$2" == *"Author"* ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System ~AUTHOR~ rwxat
- elif [ "$1" == "System" ] && [[ "$2" == *"Author"* ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # From here, default 3-Domain Rule Check
- # _ System rwxa
- elif [ "$1" == "^" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # ^ System::Log rwxa
- elif [ "$1" == "^" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # ^ System::Run rwxat
- elif [ "$1" == "^" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # _ System wx
- elif [ "$1" == "_" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # _ System::Run rwxat
- elif [ "$1" == "_" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System System::Log rwxa
- elif [ "$1" == "System" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # System System::Run rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System System::Shared rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "System::Shared" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System User rwx
- elif [ "$1" == "System" ] && [[ "$2" == "User" ]]
- then
- if [ "$3" == "rwx---" ]
- then
- return 0
- fi
- # System User::Home rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "User::Home" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System _ rxl
- elif [ "$1" == "System" ] && [[ "$2" == "_" ]]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- if [ "$3" == "rwx---" ]
- then
- return 0
- fi
+ #System ~PROCESS~ rwx
+ #System ~PATH_RW~ rwxat
+ #need to be checked
+ if [ "$1" == "System" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwx---" ] || [ "$3" == "rwxat-" ] # should be checked
+ then
+ return 0
+ fi
+ #System::Privileged ~PROCESS~ rwx
+ #System::Privileged ~PATH_RW~ rwxat
+ #need to be checked
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwx---" ] || [ "$3" == "rwxat-" ] # should be checked
+ then
+ return 0
+ fi
+ #~PROCESS~ System wx
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System" ]
+ then
+ if [ "$3" == "-wx---" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ System::Privileged wx
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System::Privileged" ]
+ then
+ if [ "$3" == "-wx---" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ System::Shared rxl
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System::Shared" ]
+ then
+ if [ "$3" == "r-x--l" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ System::Run rwxat
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System::Run" ]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ System::Log rwxa
+ elif [[ "$1" == "User::Pkg:"* ]] && [ "$2" == "System::Log" ]
+ then
+ if [ "$3" == "rwxa--" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ _ l
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "_" ]
+ then
+ if [ "$3" == "-----l" ]
+ then
+ return 0
+ fi
+ #User ~PROCESS~ rwx
+ #need to be checked later
+ elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwx---" ] || [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ User wx
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "User" ]
+ then
+ if [ "$3" == "-wx---" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ User::Home rxl
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "User::Home" ]
+ then
+ if [ "$3" == "r-x--l" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ User::App::Shared rwxat
+ elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "User::App::Shared" ]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ ~PATH_RO~ rxl
+ elif [[ "$1" == "User::Pkg::"* ]] && [[ "$2" == "User::Pkg"*"::RO" ]]
+ then
+ if [ "$3" == "r-x--l" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ ~PATH_SHARED_RO~ rwxat (self)
+ elif [[ "$1" == "User::Pkg::"* ]] && [[ "$2" == "$1""::SharedRO" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ ~PATH_SHARED_RO~ rx (other)
+ elif [[ "$1" == "User::Pkg::"* ]] && [[ "$2" == "User::Pkg"*"::SharedRO" ]] && [[ "$2" != "$1""::SharedRO" ]]
+ then
+ if [ "$3" == "r-x---" ]
+ then
+ return 0
+ fi
+ #~PROCESS~ ~PATH_TRUSTED~ rwxat
+ elif [[ "$1" == *"::Pkg::"* ]] && [[ "$2" == *"::Author::"* ]]
+ then
+ authorID=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
+ pkgname=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
+ authorID_db=$(/usr/bin/sqlite3 $dbpath "select DISTINCT author_id from user_app_pkg_view where pkg_name='$pkgname';")
+ if [ "$authorID" == "$authorID_db" ]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ fi
+ #User ~PATH_TRUSTED~ rwxat
+ elif [ "$1" == "User" ] && [[ "$2" == *"::Author::"* ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #System ~PATH_TRUSTED~ rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == *"::Author::"* ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #System::Privileged ~PATH_TRUSTED~ rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"::Author::"* ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #System ~PATH_RO~ rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #System ~PATH_SHARED_RO~ rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == "User::Pkg::"*"::SharedRO" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #System::Privileged ~PATH_RW~ rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #System::Privileged ~PATH_RO~ rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #System::Privileged ~PATH_SHARED_RO~ rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"*"::SharedRO" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #User ~PATH_RW~ rwxat
+ elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #User ~PATH_RO~ rwxat
+ elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg::"*"::RO" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ #User ~PATH_SHARED_RO~ rwxat
+ elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg"*"::SharedRO" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # From here, default 3-Domain Rule Check
+ # _ System rwxa
+ elif [ "$1" == "^" ] && [[ "$2" == "System" ]]
+ then
+ if [ "$3" == "rwxa--" ]
+ then
+ return 0
+ fi
+ # ^ System::Log rwxa
+ elif [ "$1" == "^" ] && [[ "$2" == "System::Log" ]]
+ then
+ if [ "$3" == "rwxa--" ]
+ then
+ return 0
+ fi
+ # ^ System::Run rwxat
+ elif [ "$1" == "^" ] && [[ "$2" == "System::Run" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # _ System wx
+ elif [ "$1" == "_" ] && [[ "$2" == "System" ]]
+ then
+ if [ "$3" == "-wx---" ]
+ then
+ return 0
+ fi
+ # _ System::Run rwxat
+ elif [ "$1" == "_" ] && [[ "$2" == "System::Run" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System System::Log rwxa
+ elif [ "$1" == "System" ] && [[ "$2" == "System::Log" ]]
+ then
+ if [ "$3" == "rwxa--" ]
+ then
+ return 0
+ fi
+ # System System::Run rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == "System::Run" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System System::Shared rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == "System::Shared" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System User rwx
+ elif [ "$1" == "System" ] && [[ "$2" == "User" ]]
+ then
+ if [ "$3" == "rwx---" ]
+ then
+ return 0
+ fi
+ # System User::Home rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == "User::Home" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System _ rwx
+ elif [ "$1" == "System" ] && [[ "$2" == "_" ]]
+ then
- elif [ "$1" == "System" ] && [[ "$2" == "^" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
-
- # User _ rxl
- elif [ "$1" == "User" ] && [[ "$2" == "_" ]]
- then
- if [ "$3" == "rw---l" ]
- then
- return 0
- fi
- # User System wx
- elif [ "$1" == "User" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # User System::Run rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # User System::Log rwxa
- elif [ "$1" == "User" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # User System::Shared rxl
- elif [ "$1" == "User" ] && [[ "$2" == "System::Shared" ]]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- # User User::Home rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "User::Home" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # app <-> app rwxat cross package
- elif [[ "$1" == *"::App::"* ]] && [[ "$2" == *"::App::"* ]]
- then
- appname1=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
- appname2=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
- pkgname1=$(/usr/bin/sqlite3 $dbpath "select DISTINCT pkg_name from user_app_pkg_view where app_name='$appname1';")
- pkgname2=$(/usr/bin/sqlite3 $dbpath "select DISTINCT pkg_name from user_app_pkg_view where app_name='$appname2';")
- if [ "$pkgname1" == "$pkgname2" ] && [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged System rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged System::Shared rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Shared" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged System::Run rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged System::Log rwxa
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # System::Privileged User::Home rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Home" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged User::App::Shared rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::App::Shared" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged _ rwx
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "_" ]]
- then
- if [ "$3" == "rwx---" ]
- then
- return 0
- fi
- # _ System::Privileged wx
- elif [ "$1" == "_" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # System System::Privileged rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # ^ System::Privileged rwxa
- elif [ "$1" == "^" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # System::Privileged ^ rwxa
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "^" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # User System::Privileged wx
- elif [ "$1" == "User" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # System::Privileged User rwx
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User" ]]
- then
- if [ "$3" == "rwx---" ]
- then
- return 0
- fi
- # System::Privileged ~PKG~ rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"::Pkg::"* ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged ~PKG~::RO rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged ~PKG~::SharedRO rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"::Pkg::"*"::SharedRO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged User::App::Shared rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::App::Shared" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged ~APP~ rwx
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"::App::"* ]]
- then
- if [ "$3" == "rwx---" ]
- then
- return 0
- fi
- # ~APP~ System::Privileged wx
- elif [[ "$1" == *"::App::"* ]] && [ "$2" == "System::Privileged" ]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # System::Privileged ~AUTHOR~ rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"Author"* ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- fi
+ if [ "$3" == "rwx---" ]
+ then
+ return 0
+ fi
+ # System ^ rwxa
+ elif [ "$1" == "System" ] && [[ "$2" == "^" ]]
+ then
+ if [ "$3" == "rwxa--" ]
+ then
+ return 0
+ fi
+ # User _ rxl
+ elif [ "$1" == "User" ] && [[ "$2" == "_" ]]
+ then
+ if [ "$3" == "rw---l" ]
+ then
+ return 0
+ fi
+ # User System wx
+ elif [ "$1" == "User" ] && [[ "$2" == "System" ]]
+ then
+ if [ "$3" == "-wx---" ]
+ then
+ return 0
+ fi
+ # User System::Run rwxat
+ elif [ "$1" == "User" ] && [[ "$2" == "System::Run" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # User System::Log rwxa
+ elif [ "$1" == "User" ] && [[ "$2" == "System::Log" ]]
+ then
+ if [ "$3" == "rwxa--" ]
+ then
+ return 0
+ fi
+ # User System::Shared rxl
+ elif [ "$1" == "User" ] && [[ "$2" == "System::Shared" ]]
+ then
+ if [ "$3" == "r-x--l" ]
+ then
+ return 0
+ fi
+ # User User::Home rwxat
+ elif [ "$1" == "User" ] && [[ "$2" == "User::Home" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System::Privileged System rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System::Privileged System::Shared rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Shared" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System::Privileged System::Run rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Run" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System::Privileged System::Log rwxa
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Log" ]]
+ then
+ if [ "$3" == "rwxa--" ]
+ then
+ return 0
+ fi
+ # System::Privileged User::Home rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Home" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System::Privileged User::App::Shared rwxat
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::App::Shared" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System::Privileged _ rwx
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "_" ]]
+ then
+ if [ "$3" == "rwx---" ]
+ then
+ return 0
+ fi
+ # _ System::Privileged wx
+ elif [ "$1" == "_" ] && [[ "$2" == "System::Privileged" ]]
+ then
+ if [ "$3" == "-wx---" ]
+ then
+ return 0
+ fi
+ # System System::Privileged rwxat
+ elif [ "$1" == "System" ] && [[ "$2" == "System::Privileged" ]]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # ^ System::Privileged rwxa
+ elif [ "$1" == "^" ] && [[ "$2" == "System::Privileged" ]]
+ then
+ if [ "$3" == "rwxa--" ]
+ then
+ return 0
+ fi
+ # System::Privileged ^ rwxa
+ elif [ "$1" == "System::Privileged" ] && [[ "$2" == "^" ]]
+ then
+ if [ "$3" == "rwxa--" ]
+ then
+ return 0
+ fi
+ # User System::Privileged wx
+ elif [ "$1" == "User" ] && [ "$2" == "System::Privileged" ]
+ then
+ if [ "$3" == "-wx---" ]
+ then
+ return 0
+ fi
+ # System::Privileged User rwx
+ elif [ "$1" == "System::Privileged" ] && [ "$2" == "User" ]
+ then
+ if [ "$3" == "rwx---" ]
+ then
+ return 0
+ fi
+ # System::Privileged User::App::Shared rwxat
+ elif [ "$1" == "System::Privileged" ] && [ "$2" == "User::App::Shared" ]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # User::Shell System wx
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "System" ]
+ then
+ if [ "$3" == "-wx---" ]
+ then
+ return 0
+ fi
+ # User::Shell,System::Shared,rxl
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "System::Shared" ]
+ then
+ if [ "$3" == "r-x--l" ]
+ then
+ return 0
+ fi
+ # User::Shell,System::Run,rxl
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "System::Run" ]
+ then
+ if [ "$3" == "r-x--l" ]
+ then
+ return 0
+ fi
+ # User::Shell,System::Log,w
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "System::Log" ]
+ then
+ if [ "$3" == "-w----" ]
+ then
+ return 0
+ fi
+ # User::Shell,User,wx
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "User" ]
+ then
+ if [ "$3" == "-wx---" ]
+ then
+ return 0
+ fi
+ # User::Shell,User::Home,rxl
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "User::Home" ]
+ then
+ if [ "$3" == "r-x--l" ]
+ then
+ return 0
+ fi
+ # User::Shell,User::App::Shared,rwxat
+ elif [ "$1" == "User::Shell" ] && [ "$2" == "User::App::Shared" ]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # User,User::Shell,rwxat
+ elif [ "$1" == "User" ] && [ "$2" == "User::Shell" ]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # User,User::App::Shared,rwxat
+ elif [ "$1" == "User" ] && [ "$2" == "User::App::Shared" ]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System::Privileged,User::Shell,rwxat
+ elif [ "$1" == "System::Privileged" ] && [ "$2" == "User::Shell" ]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System,User::Shell,rwxat
+ elif [ "$1" == "System" ] && [ "$2" == "User::Shell" ]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ # System,User::App::Shared,rwxat
+ elif [ "$1" == "System" ] && [ "$2" == "User::App::Shared" ]
+ then
+ if [ "$3" == "rwxat-" ]
+ then
+ return 0
+ fi
+ fi
- EXCEPTION_CHECK $1 $2 $3
+ EXCEPTION_CHECK $1 $2 $3
- if [ "$?" == 0 ]
- then
- /bin/echo "$1,$2,$3" >> $log_file
- fi
+ if [ "$?" == 0 ]
+ then
+ /bin/echo "$1,$2,$3" >> $log_file
+ fi
}
function RULE_CHECK_APPLY_PATH
{
- cat $SMACK_RULE_APPLY_PATH1 $SMACK_RULE_APPLY_PATH2 | while read line
- do
- subject=$(/bin/echo $line | /usr/bin/cut -f 1 -d " ")
- object=$(/bin/echo $line | /usr/bin/cut -f 2 -d " ")
- rule=$(/bin/echo $line | /usr/bin/cut -f 3 -d " ")
+ cat $SMACK_RULE_APPLY_PATH1 $SMACK_RULE_APPLY_PATH2 | while read line
+ do
+ subject=$(/bin/echo $line | /usr/bin/cut -f 1 -d " ")
+ object=$(/bin/echo $line | /usr/bin/cut -f 2 -d " ")
+ rule=$(/bin/echo $line | /usr/bin/cut -f 3 -d " ")
- RULE_CHECK $subject $object $rule
- done
+ RULE_CHECK $subject $object $rule
+ done
}
if [ ! -d $log_dir ]; then
- /bin/mkdir $log_dir
+ /bin/mkdir $log_dir
fi
if [ ! -d $result_dir ]; then
- /bin/mkdir $result_dir
+ /bin/mkdir $result_dir
fi
if [ -e $result_file ]